What is Wrui?
Wrui is among the latest and more sophisticated ransomware threats reported to us. It is highly dangerous and very difficult to detect before it has completed its malicious agenda.
Most of us have all kinds of important data files stored on our PCs’ hard drives – important documents, spreadsheets, audio or video files, images and other similar types of valuable data. However, most users have no backup of their important files and this is exactly what the creators of malware that belongs to the ransomware cryptovirus category are counting on. Ransomware is an infamous and highly dangerous form of malware typically used for the purposes of blackmailing and money extortion. There are two big sub-categories of ransomware that differ in the way they operate: screen lockers and file-encrypting ransomware viruses (also known as cryptoviruses).
The first and less advanced one is the subcategory of ransomware screen-lockers. These are malicious programs that can block access to the screen/desktop of the user’s device. The malware prevents the user from accessing or using anything on their device by simply generating a screen-wide banner/pop-up that is superimposed on the screen and makes it impossible to interact with anything on the device. A ransom is demanded by the hackers and the user is supposed to pay that ransom if they want to have the banner/pop-up removed. However, in most cases, it’s actually not too difficult to deal with such a ransomware virus. Unfortunately, the same cannot be said about the cryptovirus sub-type, to which Wrui belongs.
Is Wrui a virus?
Threats like the Wrui virus are the worst – they are highly advanced and it is oftentimes impossible to fully recover from their effects. Instead of restricting the access to your computer, the Wrui virus scans your HDD and locates all files that belong to certain commonly used file formats (e.g. document files, image, audio and video files and in some cases even system data).
Once all targeted files have been accounted for, the malware starts an encryption process during which each file gets encrypted by the ransomware. Once the process is finished, the only way of accessing the encrypted data is through the use of a special key that only the hacker has. This key is the object of the blackmailing which is to follow soon after. Once all data has been sealed, the user is notified through a ransom note generated by the malware program that they are supposed to make a payment to the hackers if they want to be given the decryption key for their files. A good example of such a virus is Wrui – this is a relatively new representative of the ransomware cryptovirus category and currently there are quite a lot of users who are struggling with this threat. If you are one of them, keep on reading because on this page we have posted a detailed guide for removing Wrui along with some suggestions for recovering the sealed data without making the ransom payment.
How to decrypt Wrui files?
The Wrui file encryption itself causes no damage or harm to anything on your PC. The Wrui file encryption is actually what allows the cryptovirus to operate in silence without giving itself away through any visible symptoms.
On top of that, it’s no secret that a lot of otherwise reliable antivirus programs have a difficult time detecting ransomware threats like this one exactly because no actual damage is being inflicted on the system or on the data. Some lucky users might be able to spot the infection before it’s too late if they manage to notice the potential CPU and RAM spikes that ransomware viruses tend to cause. However, examples where this has happened are rather rare. Ransomware cryptoviruses truly are some of the sneakiest and stealthiest forms of malware and this is something that makes them that much more difficult to deal with.
We can’t promise you that our guide will enable you to recover all your files but at least it won’t cost you anything to try it out. On the other hand, if you go for the ransom transaction, you might simply lose your money without getting the key – after all, those are criminal hackers you are dealing with and as such they are probably not the most trustworthy people. As far as the future protection of your PC is concerned, make sure you don’t go to any shady sites and that you only download stuff from reliable sources. Also, abstain from clicking on random ads or opening spam e-mails because those are oftentimes used as malware distribution tools. Last but not least, always have some form of security software on your PC and do not forget to regularly make backups of your important files in order to keep them safe in case all other precautionary measures have failed.
Remove Wrui Virus
The first step is to find and stop the process(es) of the Ransomware to prevent further encryption of your files and to make the virus removal easier. You can see the currently running processes on your computer from the Processes tab of the Task Manager. To go there, press the Ctrl + Shift + Del key combination from the keyboard and select Processes. There, look for items with suspicious or unfamiliar names that are using up an unusually big portion of your computer’s resources (RAM and CPU). It can help you single out the Ransomware process if you quit all currently open programs so that their processes quit as well and there are fewer items to search through in the Task Manager. If you think that you may have figured out which process is coming from Wrui, type its name in Google or in another reputable search engine and press Enter to see what results come up. In some cases, a legitimate system process could look like it is malicious so it is important to rule out this possibility before you proceed to deal with the process in question.
If your online search confirms that the process isn’t from your OS, proceed to right-click on it and then select the Open file location button. Use the scanner we have provided you with below to scan each of the files from that folder or use your own antivirus or anti-malware program if you have one on your PC for the scan. In fact, it’s best if you use both options for maximum certainty.
If even a single file is flagged as malware, go back to the questionable process in the Task Manager, right-click on it, select End Process Tree and once this is done, delete the whole folder that is its file location. If one or more files from that folder can’t be deleted and this prevents you from deleting the folder itself, delete whatever you can from inside the folder and go to the next step. Once the rest of this removal guide is finished, be sure to come back to the file location folder and try to delete it again – by that time, deleting that folder should prove to be no problem.
The next thing you ought to do is boot your computer into Safe Mode to keep any processes related to the Ransomware that you may have missed from being run automatically. On the following link, you can find instructions on how to start your PC in Safe Mode.
Press Winkey + R from your keyboard, type msconfig, and press the Enter key. Once the System Configuration window opens, select Startup from the tabs and then proceed to uncheck every item from the list of startup items that has Unknown listed under the Manufacturer column as well as all items that seem unfamiliar and potentially related to Wrui.
Finally, select the OK button to save the changes and apply them and then move on to the next step.
You must place this line “notepad %windir%/system32/Drivers/etc/hosts” (without the quote marks) in the Start Menu search bar and press Enter. Look at the bottom of the text from the notepad file named Hosts that shows up on your screen and if there are any strange IP addresses (or any other lines of text) written right below “Localhost”, copy them and send them to us using the comments section on the current page. We will have a look at those IPs and if we determine that they are likely related to Wrui, we will tell you to delete them from Hosts in our reply to your comment.
After you delete the IPs (if that’s what we told you to do), Save the Hosts file and proceed to Step 5.
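As an added example (not part of the original guide), the Hosts check above can be done with a read-only PowerShell listing of every active line that is not a plain loopback-to-localhost mapping. The function name Get-NonDefaultHostsEntry and the sample lines are hypothetical and constructed for illustration.

```powershell
# Added example: read-only audit of the hosts file. It lists every active
# line that is not a loopback -> localhost mapping. Nothing is modified.
function Get-NonDefaultHostsEntry {
    param(
        # Lines to inspect; defaults to the live hosts file on this machine.
        [string[]]$Lines = (Get-Content -LiteralPath "$env:windir\System32\drivers\etc\hosts")
    )
    $lineNo = 0
    foreach ($raw in $Lines) {
        $lineNo++
        $text = ($raw -replace '#.*$', '').Trim()   # strip comments and padding
        if (-not $text) { continue }

        # Format: <address> <name> [<alias> ...], separated by spaces or tabs.
        $fields  = @($text -split '\s+')
        $address = $fields[0]
        $names   = @($fields | Select-Object -Skip 1)

        $parsed     = $null
        $validIp    = [System.Net.IPAddress]::TryParse($address, [ref]$parsed)
        $isLoopback = $validIp -and [System.Net.IPAddress]::IsLoopback($parsed)
        $otherNames = @($names | Where-Object { $_ -ne 'localhost' })

        # A loopback address that only names "localhost" is the expected entry.
        if ($isLoopback -and ($names.Count -gt 0) -and ($otherNames.Count -eq 0)) { continue }

        $reason = 'non-default mapping'
        if (-not $validIp) { $reason = 'first field is not an IP address' }
        elseif ($names.Count -eq 0) { $reason = 'address without a host name' }
        elseif ($isLoopback -or $address -eq '0.0.0.0') { $reason = 'name pointed at a loopback/null address' }

        [pscustomobject]@{ Line = $lineNo; Address = $address; Names = $names -join ' '; Reason = $reason }
    }
}

# Constructed sample lines (not from a real infection), then the live file.
$sample = @(
    '# Copyright (c) 1993-2009 Microsoft Corp.',
    '127.0.0.1       localhost',
    '::1             localhost',
    '203.0.113.10    updates.example.test   # constructed entry',
    '0.0.0.0         av-vendor.example.test'
)
Get-NonDefaultHostsEntry -Lines $sample | Format-Table -AutoSize
Get-NonDefaultHostsEntry | Format-Table -AutoSize
```

The output gives the line number of each entry, which makes it easy to copy the exact lines for review before anything is removed from Hosts.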
Important! In this step, you will have to locate items related to Wrui in the Registry of your PC and delete them. It is very important to only delete items from the Registry if you are certain that they are from the virus or else you may risk making your system unstable by deleting the wrong thing. Therefore, remember that the comments section below this article is open to you if you want to ask us about a Registry item that you suspect of being linked to Wrui but are not totally sure.
Press Winkey + R again, type in regedit in the Run search field, and hit Enter to start the Registry Editor. If the OS demands that you give your Admin permission to the Editor to make changes to the computer, click on Yes to proceed.
When the Registry Editor appears on your screen, press Ctrl + F, type the name of the virus, and press Enter or click on Find Next. This will search the Registry for items that contain Wrui in their names and show you the first such item. If anything gets found, click on it, press Del, and then click on Yes to delete that item. Then proceed to perform the search again, delete the next found item, and repeat the process until nothing is left with the name Wrui in the Registry.
Following this, navigate to the following Registry locations and look in them for folders/items that have unusual names that stand out from the rest. Malware programs and other unwanted software tend to add folders with long names that consist of randomized characters in those Registry locations so it shouldn’t be too difficult to spot such folders. Still, if you are in doubt, remember to consult us first and only then proceed with the deletion if we confirm that the item(s) you aren’t sure about should be deleted.
- HKEY_CURRENT_USER > Software
- HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Run
- HKEY_CURRENT_USER > Software > Microsoft > Internet Explorer > Main
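As an added example (not part of the original guide), the Run location listed above can be reviewed without changing anything by reporting, for each startup value, the file it launches, that file's version-info company name and its Authenticode signature status. The function name Get-RunKeyReport, the Review rule and the sample entries are hypothetical and constructed; a Review flag marks an item to look at, not a confirmed infection.

```powershell
# Added example: read-only report on the per-user Run key from the list above.
# Nothing is deleted; the output is for review before any Registry change.
function Get-RunKeyReport {
    param(
        [string]$KeyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        # Optional name -> command-line map; used below for a constructed sample.
        [hashtable]$Entries
    )
    if (-not $PSBoundParameters.ContainsKey('Entries')) {
        $Entries = @{}
        $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
        if ($key) {
            foreach ($n in $key.GetValueNames()) { $Entries[$n] = [string]$key.GetValue($n) }
        }
    }
    foreach ($name in $Entries.Keys) {
        $command = [Environment]::ExpandEnvironmentVariables($Entries[$name]).Trim()
        # Target file: quoted first token, else text up to the first executable
        # extension (copes with unquoted paths containing spaces), else first token.
        if ($command -match '^"([^"]+)"') { $target = $Matches[1] }
        elseif ($command -match '^(.+?\.(?:exe|com|scr|bat|cmd))(?:\s|$)') { $target = $Matches[1] }
        else { $target = ($command -split '\s+')[0] }

        $exists    = [bool]$target -and (Test-Path -LiteralPath $target -PathType Leaf)
        $company   = ''
        $signature = 'n/a'
        if ($exists) {
            $company   = (Get-Item -LiteralPath $target -Force).VersionInfo.CompanyName
            $signature = [string](Get-AuthenticodeSignature -LiteralPath $target).Status
        }
        [pscustomobject]@{
            Name      = $name
            Target    = $target
            Exists    = $exists
            Company   = $company
            Signature = $signature
            # Review when the file is gone, names no publisher, or is not validly signed.
            Review    = (-not $exists) -or (-not $company) -or ($signature -ne 'Valid')
        }
    }
}

# Constructed sample entries (not from a real infection), then the live key.
$sample = @{
    'OneDrive'   = '"%LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe" /background'
    'q7f3k9x2m1' = '%TEMP%\q7f3k9x2m1\q7f3k9x2m1.exe'
}
Get-RunKeyReport -Entries $sample | Format-Table -AutoSize
Get-RunKeyReport | Format-Table -AutoSize
```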
For the final step of this guide, you must copy each of the next folder shortcuts in the Start Menu field and press Enter to access the folders they correspond to.
Once each folder opens, sort the items in it by order of date and proceed to delete everything created since the virus has infected your computer. In the folder named Temp, simply delete all files that are stored there.
Lastly, we once again remind you to delete the File Location of the malware process alongside all files that are still stored in it (Step 1) if you haven’t been able to do this earlier.
How to Decrypt Wrui files
Deleting the Wrui virus is important to secure your computer and to prevent further data encryption but it won’t automatically recover your files. To restore your data without paying the ransom, you will have to perform some additional actions that we have explained in a separate How to Decrypt Ransomware guide that you can access by clicking on the provided link. Go to this guide and try the methods listed there to hopefully recover the files that Wrui has managed to lock up. Before you go there, make sure that the virus has been fully removed from your PC or else anything you may manage to recover could get encrypted all over again if Wrui is still present in the system. The free malware scanner available on our site can help you determine if there are any traces from the Ransomware left on your computer by allowing you to scan any files that you deem suspicious.
The guide we’ve provided you with on this page should allow most users to fully eradicate the Wrui threat. However, if you suspect that the virus is still on your computer, it would be a great idea to use the advanced malware-removal tool that you will find linked on the current page as it can both quickly find and take care of any remnants of the Wrui virus as well as provide your system with powerful protection against malware in the future.